Question about creating custom conn logs.

Hi all,

I was wondering if someone can point me in the right direction
regarding creating custom connection logs in Bro. I'm sorry in
advance if this is a question already asked before, but I could not
find the answer or something remotely close to an answer. I want to
add some fields to current conn.<tag>.log files (namely for instance
tcp sequence numbers) for all tcp connections or I want to create new
connection log files with new fields. I have written a new function
(similar to record_connection()) in the <hostname>.bro file as well as
a new event calling that function. The log files get created, but
nothing is ever logged into them.

I guess my question would be, how do I create an event calling this
function that will just record all tcp network traffic into customized
log files? I really don't want to do anything special to it; I just
want to log the traffic with the format I defined in the function. I
have been using the pkt_hdr, ip_hdr, tcp_hdr, and udp_hdr data types
from bro.init to add additional fields in fmt(). If you can just give
me a quick format of the event that would do that, it would help
tremendously; I can do the rest myself.

I hope this is enough information; if not, please let me know. Thank
you in advance for any help.

Regards,
Alen

Alen,

I'm not a bro expert, just a novice user, but here's what I think.

First, if you have questions about your code, post the code. It's hard
to tell what exactly you're doing from the description.

You don't need to create an event to do what you want. Rather, you create
an *event handler*. Bro generates the events, and runs your handler
at the appropriate time. For example, here's an event handler
that gets run when a connection is finished, that is, this is a
handler for the built-in 'connection_finished' event. The handler
receives a single parameter, which is a connection record.

event connection_finished(c: connection) {
     # print the connection 4-tuple once the connection has finished
     print fmt("conn %s:%d -> %s:%d",
               c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}

Print this to a file, and that is a minimal example of a custom
connection logging policy.

(Note that in a real app, connection_finished is not the event
you want, since it will not run for a connection that never
finishes explicitly (FIN). The event connection_state_remove
fires shortly after connection_finished, or when an unfinished
connection is timed out.)

As far as logging sequence numbers, keep in mind that connections
are at a different level of abstraction than sequence numbers,
which exist at the packet level. The bro 'connection' record
has no record of any individual packets. To get sequence numbers,
you need to write handlers for packet-level events.

Here's an example of a policy that would record the sequence
number of the SYN packet for a connection. Note that the built-in
event 'new_packet' is passed the connection record and the packet
as parameters, so you can correlate packets with connections.

global conns_syn_seq: table[conn_id] of count;

event new_packet(c: connection, p: pkt_hdr) {
     # keep the SYN sequence number; p$tcp is only present for TCP
     # packets, and flags == 2 is a bare SYN (no ACK bit set)
     if ( p?$tcp && p$tcp$flags == 2 && c$id !in conns_syn_seq )
         conns_syn_seq[c$id] = p$tcp$seq;
}

event connection_finished(c: connection) {
     # a connection first seen mid-stream has no SYN entry, and a
     # lookup of a missing table key is a runtime error, so check first
     if ( c$id in conns_syn_seq ) {
         print fmt("conn %s:%d -> %s:%d (SYNseq#=%d)",
                   c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                   conns_syn_seq[c$id]);
         # drop the entry so the table does not grow without bound
         delete conns_syn_seq[c$id];
     }
     else
         print fmt("conn %s:%d -> %s:%d (no SYN seen)",
                   c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}

Mark
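As an added example that is not Mark's or Alen's code and not from the Bro project, the same SYN-sequence idea written against the logging framework of Zeek (the current name of Bro), which is how a custom conn-style log file with its own fields is created in current versions. It assumes Zeek 3.x or later (zeek_init is bro_init on 2.x), and the module name, log path and the per-connection table are my own choices.

```zeek
module SynSeq;

export {
    redef enum Log::ID += { LOG };

    # Columns of the custom log; &optional because a connection seen
    # mid-stream never shows us its SYN.
    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        syn_seq: count   &log &optional;
    };
}

# Constructed per-connection state (assumption, not a Zeek built-in):
# SYN sequence number keyed by the connection 4-tuple.
global syn_seq: table[conn_id] of count;

event zeek_init()
    {
    # Creates conn_synseq.log next to conn.log.
    Log::create_stream(SynSeq::LOG, [$columns=Info, $path="conn_synseq"]);
    }

event new_packet(c: connection, p: pkt_hdr)
    {
    # p$tcp exists only for TCP packets; keep the first bare SYN
    # (SYN set, ACK clear) so a SYN/ACK or retransmit does not overwrite it.
    if ( p?$tcp && (p$tcp$flags & (TH_SYN | TH_ACK)) == TH_SYN
         && c$id !in syn_seq )
        syn_seq[c$id] = p$tcp$seq;
    }

# connection_state_remove fires for every connection, including ones
# that time out without a FIN, so state is written and released here.
event connection_state_remove(c: connection)
    {
    local rec = Info($ts=c$start_time, $uid=c$uid, $id=c$id);
    if ( c$id in syn_seq )
        {
        rec$syn_seq = syn_seq[c$id];
        delete syn_seq[c$id];
        }
    Log::write(SynSeq::LOG, rec);
    }
```

new_packet is raised for every packet, so on busy links this handler costs noticeably more than a conn.log-only policy; restrict it or move to a raw-packet analyzer if that matters.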

Alen Capalik wrote: